kernel 6.5: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set

RolandK

there have been changes in memfd kernel api ( https://lwn.net/Articles/918106/ )

i'm getting these messages with recent pve and pbs:

root@pbsvm:~# dmesg |grep memfd
[ 42.570992] kvm[1162]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set

# dmesg |grep memfd
[ 14.631522] lxc-autostart[866]: memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set

are the lxc and kvm/qemu upstream projects informed that they may need to adjust their code?

i did not yet find anything on that, should i add an RFE in proxmox bugzilla for tracking this?
 
I would not worry too much about it. I found this in the 6.5 kernel thread:
We already added a stop-gap, reverting this warning to a single-time one with the next version of this kernel, just like upstream did too.
As there's not much to fix here, but to improve a few things that have to be done very carefully to not break existing use-cases and people migrating from older kernels.
 
added upstream issue for kvm/qemu at https://gitlab.com/qemu-project/qemu/-/issues/2060

for lxc, an issue already exists since May: https://github.com/lxc/lxc/issues/4315
Thanks for these links.

From my reading, this looks like a harmless warning, as far as the Proxmox node is concerned. I think it's there because the kvm devs haven't updated kvm yet to take advantage of the new, more secure memfd features, and the warning is designed to encourage them to do so (by alarming their users...?).
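
Added example (not part of the original posts, and not QEMU or LXC code): a caller that only keeps data in a memfd can pass MFD_NOEXEC_SEAL, which satisfies the check behind this warning, and retry without the flag on kernels that predate it. The helper names `memfd_create_data` and `memfd_is_noexec_sealed` are hypothetical, and the fallback constants are copied from the kernel UAPI headers.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/memfd.h>   /* MFD_CLOEXEC, MFD_ALLOW_SEALING */

/* Fallback values (kernel UAPI) for build hosts with pre-6.3 headers. */
#ifndef MFD_NOEXEC_SEAL
#define MFD_NOEXEC_SEAL 0x0008U
#endif
#ifndef F_GET_SEALS
#define F_GET_SEALS 1034
#endif
#ifndef F_SEAL_EXEC
#define F_SEAL_EXEC 0x0020
#endif

/* glibc >= 2.27 exports this; declared here so no feature-test macro is needed. */
int memfd_create(const char *name, unsigned int flags);

/* Hypothetical helper: create a memfd that is meant to hold data only. */
int memfd_create_data(const char *name)
{
    int fd = memfd_create(name, MFD_CLOEXEC | MFD_ALLOW_SEALING | MFD_NOEXEC_SEAL);
    if (fd < 0 && errno == EINVAL)   /* kernels before 6.3 reject the unknown flag */
        fd = memfd_create(name, MFD_CLOEXEC | MFD_ALLOW_SEALING);
    return fd;
}

/* Returns 1 if the file is sealed non-executable, 0 if not, -1 on error. */
int memfd_is_noexec_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals < 0 ? -1 : (seals & F_SEAL_EXEC) != 0;
}

int main(void)
{
    int fd = memfd_create_data("example");
    if (fd < 0) { perror("memfd_create"); return 1; }
    printf("noexec-sealed: %d\n", memfd_is_noexec_sealed(fd));
    close(fd);
    return 0;
}
```

A program that really has to execute code from the memfd would pass MFD_EXEC instead, which also satisfies the check.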
 
FYI
Code:
memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set
started to appear when I changed the line in /etc/default/grub
to GRUB_CMDLINE_LINUX_DEFAULT="mitigations=off"
Servers are in an internal network, performance is more important than worrying about Spectre and Meltdown vulnerabilities.
 
For me everything is solved with installation of Linux 6.5.11-7-pve kernel.
Working without problems with mitigations=off
Live migrated a 400GB server image /over 10Gbit network/ and a lot of smaller ones, Linux and Windows,
Cluster has uptime about 14 days after complete upgrade, about 50 VMs

although the message memfd_create() called without MFD_EXEC or MFD_NOEXEC_SEAL set still appears after boot
 